All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
IPSEC VPN on Ubuntu 15.04 with StrongSwan
This is a guide on setting up an IPSEC VPN server on Ubuntu 15.04 using StrongSwan as the IPsec server and for authentication. It has a detailed explanation with every step. We choose the IPSEC protocol stack because of vulnerabilities found in pptpd VPNs and because it is supported on all recent operating systems by default.
Why a VPN?
More than ever, your freedom and privacy when online is under threat. Governments and ISPs want to control what you can and can't see while keeping a record of everything you do, and even the shady-looking guy lurking around your coffee shop or the airport gate can grab your bank details easier than you may think. A self hosted VPN lets you surf the web the way it was intended: anonymously and without oversight.
A VPN (virtual private network) creates a secure, encrypted tunnel through which all of your online data passes back and forth. Any application that requires an internet connection works with this self hosted VPN, including your web browser, email client, and instant messaging program, keeping everything you do online hidden from prying eyes while masking your physical location and giving you unfettered access to any website or web service no matter where you happen to live or travel to.
This tutorial is available for the following platforms:
- Raspberry Pi with Arch Linux ARM
- CentOS 7, Scientific Linux 7 or Red Hat Enterprise Linux 7 (IKEv2,no L2TP)
- CentOS 6, Scientific Linux 6 or Red Hat Enterprise Linux 6
- Ubuntu 15.04, (IKEv2,no L2TP)
- Ubuntu 14.04 LTS
- Ubuntu 13.10
- Ubuntu 13.04
- Ubuntu 12.10
- Ubuntu 12.04 LTS
This tutorial was written and tested on a Digital Ocean VPS. If you like this tutorial and want to support my website, use this link to order a Digital Ocean VPS: https://www.digitalocean.com/?refcode=7435ae6b8212. You will get $10 free credit, which is equal to two months of a free $5 VPS.
IPSEC encrypts your IP packets to provide encryption and authentication, so no one can decrypt or forge data between your clients and your server. It also provides a tunnel to send data to the server.
This VPN setup is called a road-warrior setup, because clients can connect from anywhere. Another much used VPN setup is called site-to-site, where two VPN servers connect two networks with one another. In a road warrior setup your local network isn't shared, but you do get access to the server's network.
To work trough this tutorial you should have:
- 1 Ubuntu 15.04 server with at least 1 public IP address and root access
- 1 (or more) clients running an OS that support IPsec IKEv2 vpns (Ubuntu, Mac OS, Windows 7+, Android 4+).
- Ports 4500/UDP, 500/UDP, 51/UDP and 50/UDP opened in the firewall.
I do all the steps as the root user. You should do to, but only via sudo -i
or su -
.
No L2TP?
The previous tutorials all used L2TP to set up the VPN tunnel and use IPSEC only for the encryption. With the IKEv2 protocol and newer operating systems (like OS X 10.8+, Android 4+, iOS 6+ and Windows 7+) supporting IKEv2 we can also use IPSEC to set up the tunnel, before we used IPSEC to do that.
This VPN will therefore not work out of the box on older operating systems. See my other tutorials with L2TP on how to do that.
Overview
The tutorial consists out of the following steps:
- Install packages
- Generate certificates
- Configure IPSEC
- Configure Firewall
Android and Windows client configuration is covered at the end of the tutorial.
Comments
Ubuntu 15.10 and 16.04 beta are in the making by the way.
Thanks for the awesome tutorial! Will be sure to use it
Big kudos to you again Raymii. Since the 18th Dec Germoney started.... to store anything people do on the Internet again and also mobile communication. This guides come in handy although at the moment I do use SoftEther with L2TP/IPsec.
Any advantage to using this over OpenVPN? It uses static ports right that could easily be blocked? It's previous advantage was that it was baked into most devices like PPTP and you had to root your device to get OpenVPN installed. But now there ate official, non-rooting OpenVPN clients out for mobile so I'm wondering what the appeal would be to using this.
Support baked in all major operating systems. From a sysadmin standpoint that is a big plus since you don't also have to manage all kinds of clients. You can deploy this with GPO's or MDM software, instead of manually doing some install of some third party app.
Configurability, this supports both road-warrior and site-to-site connections, and connects to all kinds of backends through eap (like radius), and most *NIX admins are familiair with some kind of *SWAN.
OpenVPN is fine as well, nothing wrong with it. And, if your goal is personal use (or GFW evasion) and you're willing to install third party apps or even root your device, then go ahead and use the AS, you even get a nice interface then.
The companies I've worked for all use(d) some kind of *SWAN which hooked in to existing infrastructure (radius, AD/LDAP), so that's what I'm most familiar with.
To which country do you tunnel?
Not any better but to USA due to content restrictions I need to bypass at the same time anyway. Might as well create one on my Lithaunia VPS.
Tanks for the tutorial.
Just a tip: Maybe you need to highlight the parts that aren't copy & paste a little bit more?
Which, as you should know, does not matter at all anyway - According to your G8 law and the access as per constitution for the BND they save/analyse up to 30% of local sourced traffic anyway, and no that is not just the metadata....
Didn't know. Thanks for the information. I wish them good luck.
Not afraid of BND, they pay the same income as any gov agency (= rather high and low taxed, but less than you can easily earn in private industry) so they don't get any good "hackers" or even good IT staff at all anyway.
Not that would matter. They redirect traffic to NSA anyway.
Thanks Raymii for the nice tutorial.
For those who prefer IPsec/L2TP VPN over pure IPsec, use my "one-click" VPN script.
Very good explanation... Thanks so much for the detailed response.
No problem, I prefer to have an actual discussion